IoT worm can hack Philips Hue lightbulbs, spread across cities

Easy chain reaction hack would spread across Paris, boffins say

Researchers have developed a proof-of-concept worm they say can rip through Philips Hue lightbulbs across entire cities – causing the insecure web-connected globes to flick on and off.

The software nasty, detailed in a paper titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF], exploits hardcoded symmetric encryption keys to control devices over Zigbee wireless networks. This allows the malware to compromise a single light globe from up to 400 metres away.

The worm can then spread from a single smart bulb to those nearby thanks to the use of these skeleton keys.

The attack is the handiwork of researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten of the Weizmann Institute of Science, Israel, along with Colin O'Flynn of Dalhousie University, Canada.

It triggered Philips to release a firmware patch for owners of its "Hue" connected bulbs. This is not without some risk as users must first set up the Philips Hue app in order to receive the automatic patches, and do so before attacks take place since the worm can easily override update attempts.

The researchers say "... the worm can rapidly retake new bulbs which the user has attempted to associate with the legitimate base station, making it almost impossible for vulnerable bulbs in range of another infected bulb to receive an [over the air] patch before the worm has spread."

The quartet found the Philips Hue update mechanism, while requiring some cryptographic validation, was flawed in that the AES-CCM keys universal to all Hue lightbulbs could be extracted using a side-channel attack.

(We note that, in general, a side-channel attack isn't needed to crack an embedded device that uses symmetrical keys: these hardcoded secrets can be extractedfrom the firmware data.)

Here's how the team described their malware:

The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.

There is no validation between Philips Hue globes, allowing attacks to spread.

Researchers employed percolation theory to simulate an attack on bulbs across Paris. They find there are a sufficient number of the pwnable bulbs in the City of Lights for an attack to spread.